Merge branch 'main' of gitlab.cryptoworkshop.com:root/bc-java

Author: dghgit

core/src/main/java/org/bouncycastle/pqc/crypto/mlkem/MLKEMEngine.java

@@ -188,6 +188,11 @@ public void init(SecureRandom random)
         this.random = random;
     }
 
+    boolean checkModulus(byte[] t)
+    {
+        return PolyVec.checkModulus(this, t) < 0;
+    }
+
     public byte[][] generateKemKeyPair()
     {
         byte[] d = new byte[KyberSymBytes];
@@ -224,9 +229,9 @@ public byte[][] generateKemKeyPairInternal(byte[] d, byte[] z)
         };
     }
 
-    public byte[][] kemEncryptInternal(byte[] publicKeyInput, byte[] randBytes)
+    byte[][] kemEncrypt(MLKEMPublicKeyParameters publicKey, byte[] randBytes)
     {
-        byte[] outputCipherText;
+        byte[] publicKeyInput = publicKey.getEncoded();
 
         byte[] buf = new byte[2 * KyberSymBytes];
         byte[] kr = new byte[2 * KyberSymBytes];
@@ -240,7 +245,8 @@ public byte[][] kemEncryptInternal(byte[] publicKeyInput, byte[] randBytes)
         symmetric.hash_g(kr, buf);
 
         // IndCpa Encryption
-        outputCipherText = indCpa.encrypt(publicKeyInput, Arrays.copyOfRange(buf, 0, KyberSymBytes), Arrays.copyOfRange(kr, 32, kr.length));
+        byte[] outputCipherText = indCpa.encrypt(publicKeyInput, Arrays.copyOfRange(buf, 0, KyberSymBytes),
+            Arrays.copyOfRange(kr, 32, kr.length));
 
         byte[] outputSharedSecret = new byte[sessionKeyLength];
 
@@ -252,8 +258,10 @@ public byte[][] kemEncryptInternal(byte[] publicKeyInput, byte[] randBytes)
         return outBuf;
     }
 
-    public byte[] kemDecryptInternal(byte[] secretKey, byte[] cipherText)
+    byte[] kemDecrypt(MLKEMPrivateKeyParameters privateKey, byte[] cipherText)
     {
+        byte[] secretKey = privateKey.getEncoded();
+
         byte[] buf = new byte[2 * KyberSymBytes],
                 kr = new byte[2 * KyberSymBytes];
 
@@ -282,21 +290,6 @@ public byte[] kemDecryptInternal(byte[] secretKey, byte[] cipherText)
         return Arrays.copyOfRange(kr, 0, sessionKeyLength);
     }
 
-    MLKEMIndCpa getIndCpa()
-    {
-        return indCpa;
-    }
-
-    byte[][] kemEncrypt(byte[] publicKeyInput, byte[] randBytes)
-    {
-        return kemEncryptInternal(publicKeyInput, randBytes);
-    }
-    
-    byte[] kemDecrypt(byte[] secretKey, byte[] cipherText)
-    {
-        return kemDecryptInternal(secretKey, cipherText);
-    }
-
     private void cmov(byte[] r, byte[] x, int xlen, boolean b)
     {
         if (b)
@@ -308,9 +301,4 @@ private void cmov(byte[] r, byte[] x, int xlen, boolean b)
             System.arraycopy(r, 0, r, 0, xlen);
         }
     }
-
-    public void getRandomBytes(byte[] buf)
-    {
-        this.random.nextBytes(buf);
-    }
 }

core/src/main/java/org/bouncycastle/pqc/crypto/mlkem/MLKEMExtractor.java

@@ -21,7 +21,7 @@ public MLKEMExtractor(MLKEMPrivateKeyParameters privateKey)
 
     public byte[] extractSecret(byte[] encapsulation)
     {
-        return engine.kemDecrypt(privateKey.getEncoded(), encapsulation);
+        return engine.kemDecrypt(privateKey, encapsulation);
     }
 
     public int getEncapsulationLength()

core/src/main/java/org/bouncycastle/pqc/crypto/mlkem/MLKEMGenerator.java

@@ -20,23 +20,19 @@ public MLKEMGenerator(SecureRandom random)
 
     public SecretWithEncapsulation generateEncapsulated(AsymmetricKeyParameter recipientKey)
     {
-        MLKEMPublicKeyParameters key = (MLKEMPublicKeyParameters)recipientKey;
-        MLKEMEngine engine = key.getParameters().getEngine();
-        engine.init(sr);
-
         byte[] randBytes = new byte[32];
-        engine.getRandomBytes(randBytes);
+        sr.nextBytes(randBytes);
 
-        byte[][] kemEncrypt = engine.kemEncrypt(key.getEncoded(), randBytes);
-        return new SecretWithEncapsulationImpl(kemEncrypt[0], kemEncrypt[1]);
+        return internalGenerateEncapsulated(recipientKey, randBytes);
     }
+
     public SecretWithEncapsulation internalGenerateEncapsulated(AsymmetricKeyParameter recipientKey, byte[] randBytes)
     {
         MLKEMPublicKeyParameters key = (MLKEMPublicKeyParameters)recipientKey;
         MLKEMEngine engine = key.getParameters().getEngine();
         engine.init(sr);
 
-        byte[][] kemEncrypt = engine.kemEncryptInternal(key.getEncoded(), randBytes);
+        byte[][] kemEncrypt = engine.kemEncrypt(key, randBytes);
         return new SecretWithEncapsulationImpl(kemEncrypt[0], kemEncrypt[1]);
     }
 }

core/src/main/java/org/bouncycastle/pqc/crypto/mlkem/MLKEMPublicKeyParameters.java

@@ -17,40 +17,43 @@ public MLKEMPublicKeyParameters(MLKEMParameters params, byte[] t, byte[] rho)
     {
         super(false, params);
 
-        validatePublicKey(params.getEngine(), getEncoded(t, rho));
+        MLKEMEngine engine = params.getEngine();
+
+        if (t.length != engine.getKyberPolyVecBytes())
+        {
+            throw new IllegalArgumentException("'t' has invalid length");
+        }
+        if (rho.length != MLKEMEngine.KyberSymBytes)
+        {
+            throw new IllegalArgumentException("'rho' has invalid length");
+        }
 
         this.t = Arrays.clone(t);
         this.rho = Arrays.clone(rho);
+
+        if (!engine.checkModulus(this.t))
+        {
+            throw new IllegalArgumentException("Modulus check failed for ML-KEM public key");
+        }
     }
 
     public MLKEMPublicKeyParameters(MLKEMParameters params, byte[] encoding)
     {
         super(false, params);
 
-        validatePublicKey(params.getEngine(), encoding);
+        MLKEMEngine engine = params.getEngine();
 
-        this.t = Arrays.copyOfRange(encoding, 0, encoding.length - MLKEMEngine.KyberSymBytes);
-        this.rho = Arrays.copyOfRange(encoding, encoding.length - MLKEMEngine.KyberSymBytes, encoding.length);
-    }
-
-    private static void validatePublicKey(MLKEMEngine engine, byte[] publicKeyInput)
-    {
-        // Input validation (6.2 ML-KEM Encaps)
-        // length Check
-        if (publicKeyInput.length != engine.getKyberIndCpaPublicKeyBytes())
+        if (encoding.length != engine.getKyberIndCpaPublicKeyBytes())
         {
-            throw new IllegalArgumentException("length check failed for ml-kem public key construction");
+            throw new IllegalArgumentException("'encoding' has invalid length");
         }
 
-        // Modulus Check
-        PolyVec polyVec = new PolyVec(engine);
-        MLKEMIndCpa indCpa = engine.getIndCpa();
+        this.t = Arrays.copyOfRange(encoding, 0, encoding.length - MLKEMEngine.KyberSymBytes);
+        this.rho = Arrays.copyOfRange(encoding, encoding.length - MLKEMEngine.KyberSymBytes, encoding.length);
 
-        byte[] seed = indCpa.unpackPublicKey(polyVec, publicKeyInput);
-        byte[] ek = indCpa.packPublicKey(polyVec, seed);
-        if (!Arrays.areEqual(ek, publicKeyInput))
+        if (!engine.checkModulus(this.t))
         {
-            throw new IllegalArgumentException("modulus check failed for ml-kem public key construction");
+            throw new IllegalArgumentException("Modulus check failed for ML-KEM public key");
         }
     }
 

core/src/main/java/org/bouncycastle/pqc/crypto/mlkem/Poly.java

@@ -340,5 +340,20 @@ public String toString()
         out.append("]");
         return out.toString();
     }
-}
 
+    static int checkModulus(byte[] a, int off)
+    {
+        int result = -1;
+        for (int i = 0; i < MLKEMEngine.KyberN / 2; ++i)
+        {
+            int a0 = a[off + 3 * i + 0] & 0xFF;
+            int a1 = a[off + 3 * i + 1] & 0xFF;
+            int a2 = a[off + 3 * i + 2] & 0xFF;
+            short c0 = (short)(((a0 >> 0) | (a1 << 8)) & 0xFFF);
+            short c1 = (short)(((a1 >> 4) | (a2 << 4)) & 0xFFF);
+            result &= Reduce.checkModulus(c0);
+            result &= Reduce.checkModulus(c1);
+        }
+        return result;
+    }
+}

core/src/main/java/org/bouncycastle/pqc/crypto/mlkem/PolyVec.java

@@ -269,4 +269,14 @@ public String toString()
         out.append("]");
         return out.toString();
     }
+
+    static int checkModulus(MLKEMEngine engine, byte[] inputBytes)
+    {
+        int result = -1;
+        for (int i = 0, k = engine.getKyberK(); i < k; i++)
+        {
+            result &= Poly.checkModulus(inputBytes, i * MLKEMEngine.KyberPolyBytes);
+        }
+        return result;
+    }
 }

core/src/main/java/org/bouncycastle/pqc/crypto/mlkem/Reduce.java

@@ -32,4 +32,9 @@ public static short conditionalSubQ(short a)
         return a;
     }
 
+    // NB: We only care about the sign bit of the result: it will be 1 iff the argument was in range
+    static int checkModulus(short a)
+    {
+        return a - MLKEMEngine.KyberQ;
+    }
 }

core/src/test/java/org/bouncycastle/pqc/crypto/test/MLKEMTest.java

@@ -416,13 +416,12 @@ public void testModulus() throws IOException
 
                 try
                 {
-                    MLKEMPublicKeyParameters pubParams = (MLKEMPublicKeyParameters)PublicKeyFactory.createKey(
-                        SubjectPublicKeyInfoFactory.createSubjectPublicKeyInfo(new MLKEMPublicKeyParameters(parameters, key)));
+                    new MLKEMPublicKeyParameters(parameters, key);
                     fail();
                 }
                 catch (IllegalArgumentException e)
                 {
-                    assertEquals("modulus check failed for ml-kem public key construction", e.getMessage());
+                    assertEquals("Modulus check failed for ML-KEM public key", e.getMessage());
                 }
             }
         }